On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
> it can overflow integer range and allocates small size of heap.
> After that, memcpy will overflow the allocated heap.
> Therefore, it needs to check the size of given length.
[...]
> --- a/drivers/xen/xenbus/xenbus_dev_frontend.c
> +++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
> @@ -186,7 +186,7 @@ static int queue_reply(struct list_head *queue, const
> void *data, size_t len)
>  {
>  	struct read_buffer *rb;
>  
> -	if (len == 0)
> +	if (len == 0 || len >= UINT_MAX - sizeof(*rb))
                        ^^^^^^^^^^^^^^^^^^^^^^

Please check len > XENSTORE_PAYLOAD_MAX instead.

David

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
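Review bot: the new bound in the `+` line is checked against the wrong type: `len` is declared `size_t` in the hunk header, so on a 64-bit kernel the `sizeof(*rb) + len` sum the commit message is worried about wraps at SIZE_MAX rather than UINT_MAX, and the check still lets through requests for multi-gigabyte allocations. Bounding the length by the protocol's maximum payload, as the reply suggests, both removes the wraparound and rejects any oversized message up front: `if (len == 0 || len > XENSTORE_PAYLOAD_MAX)`. The commit message should also be reworded to describe that limit rather than the UINT_MAX arithmetic.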